Advisory

Spyware exploited vulnerability in Samsung Galaxy devices through malicious WhatsApp images

Take action: If you have a Samsung Galaxy device, install the latest software update immediately. Your device can be targeted by active spyware. Be extra cautious when opening image files received through WhatsApp or other messaging apps: attackers used weaponized photos to install spyware.


Learn More

Security researchers from Palo Alto Networks' Unit 42 team are reporting an Android spyware campaign that exploited a critical zero-day vulnerability in Samsung Galaxy devices through malicious images distributed via WhatsApp.

The spyware family, dubbed LANDFALL, exploited a flaw tracked as CVE-2025-21042 (CVSS score 8.8) in Samsung's Android image processing library to conduct extensive surveillance operations targeting individuals primarily in the Middle East.

The LANDFALL campaign operated undetected from at least July 2024 until Samsung patched the vulnerability in April 2025. The vulnerability affects Samsung Galaxy devices running Android versions 13 through 16, including the S22, S23, and S24 series, as well as the Galaxy Z Fold4 and Z Flip4 devices. 

Attackers embedded the spyware within malformed DNG (Digital Negative) image files that were delivered to targets through WhatsApp messages. The malicious files appeared as ordinary image attachments with filenames such as "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg" and "IMG-20240723-WA0000.jpg," suggesting they were sent via the popular messaging platform. 

Researchers did not find vulnerabilities in WhatsApp itself. The application was used as a delivery mechanism for the weaponized images.

Unit 42 discovered the LANDFALL campaign while investigating a parallel exploit chain targeting Apple iOS devices in August 2025. Their search for iOS exploit samples led to the identification of several suspicious DNG files uploaded to VirusTotal throughout 2024 and early 2025. The researchers discovered six samples of malicious DNG files between July 23, 2024, and February 10, 2025, which contained embedded ZIP archives appended to the end of legitimate-looking image files. These archives held the spyware components that were extracted and executed by exploiting the Samsung vulnerability.
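The two file-level traits described above (a ".jpg"/".jpeg" name on a TIFF-based DNG body, and a ZIP archive appended after the image data) can be triaged with a small script. This is an added example, not code from Unit 42 or Samsung; the sample file it builds is constructed and contains no real payload, and the function names are the author's own.

```python
import io
import struct
import zipfile
from pathlib import Path

# DNG is TIFF-based: little-endian "II*\0" or big-endian "MM\0*" header.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"        # end-of-central-directory record
EOCD_MIN_LEN = 22

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims JPEG but the header is TIFF/DNG."""
    return Path(filename).suffix.lower() in (".jpg", ".jpeg") and data.startswith(TIFF_MAGICS)

def find_appended_zip(data: bytes):
    """Offset where a ZIP archive glued onto a host file begins, else None.
    ZIP offsets are relative to the archive start, so for a trailing archive
    the host prefix length is eocd_pos - central_dir_size - central_dir_offset."""
    eocd_pos = data.rfind(ZIP_EOCD)
    if eocd_pos < 0 or eocd_pos + EOCD_MIN_LEN > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    start = eocd_pos - cd_size - cd_offset
    # start == 0 would be a plain ZIP file, not an archive appended to an image.
    if start <= 0 or data[start:start + 4] != ZIP_LOCAL_HEADER:
        return None
    return start

def inspect_image(filename: str, data: bytes) -> dict:
    """Triage one file: extension/header disagreement and trailing ZIP payload."""
    start = find_appended_zip(data)
    members = []
    if start is not None:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            members = zf.namelist()
    return {
        "extension_mismatch": extension_mismatch(filename, data),
        "appended_zip_offset": start,
        "appended_members": members,
    }

def build_sample() -> bytes:
    """Constructed sample (not a real LANDFALL file): a 128-byte stand-in
    TIFF/DNG body followed by a ZIP holding a harmless placeholder member."""
    host = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 120
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"placeholder bytes, not malware")
    return host + buf.getvalue()
```

Running `inspect_image("WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg", build_sample())` reports both the extension mismatch and a ZIP starting at offset 128; a genuine image with no trailing archive yields neither finding.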

Analysis of the spyware revealed extensive surveillance capabilities designed for comprehensive data collection:

  • Microphone recording and call interception
  • Real-time location tracking via GPS
  • Collection of photos and camera access
  • Contacts database extraction
  • Call logs and SMS messages
  • Browsing history and application data
  • Device fingerprinting including IMEI, IMSI, and hardware details
  • Network configuration and VPN status monitoring
  • Arbitrary file access and database extraction

The spyware communicated with its command-and-control infrastructure over HTTPS using non-standard TCP ports. Researchers identified six C2 servers associated with the campaign, with domains including brightvideodesigns[.]com, hotelsitereview[.]com, healthyeatingontherun[.]com, and projectmanagerskills[.]com. 

Analysis of VirusTotal submission data indicates potential targets in Iraq, Iran, Turkey, and Morocco. Turkey's national CERT is reporting IP addresses used by LANDFALL's C2 servers as malicious and APT-related. Unit 42 researchers describe this as "a precision espionage campaign, targeting specific Samsung Galaxy devices in the Middle East," rather than mass malware distribution.

Samsung patched CVE-2025-21042 in its April 2025 security update, and there is no ongoing risk to users who have applied this patch or later updates. In September 2025, Samsung also patched the related vulnerability CVE-2025-21043, protecting against similar attack vectors. Samsung users should verify their devices are running the April 2025 Security Maintenance Release or later by checking Settings → Software update → Download and install.
